BitLocker access for authorities: Not so easy with Apple's FileVault since Tahoe
Microsoft has drawn criticism for giving authorities access to BitLocker drive encryption. Apple has fixed the corresponding problem in FileVault, starting with macOS 26 Tahoe.
Icons of FileVault and iCloud: Before macOS 26, file encryption was easier to crack.
(Image: Apple)
Following reports that Microsoft, under court order, is handing over keys stored on its cloud servers for its local drive encryption BitLocker, macOS users are wondering whether they face a similar threat. At least until macOS 26, alias Tahoe, the answer, in the style of Radio Yerevan, was: "In principle, yes, but..."
Access without Advanced Data Protection at least conceivable
Before the new operating system was released in the fall, FileVault let users choose: either the encryption runs purely locally and you write down a recovery key (which, incidentally, is shown only once), or you store that key in iCloud and can then decrypt FileVault with your Apple Account. Those who chose the latter path risked trouble similar to that with Microsoft's BitLocker: if state authorities compelled Apple to grant access to the Apple Account including iCloud, access to FileVault was possible too. It is currently unclear how, whether, and how often this has already happened; the iPhone maker is still processing a corresponding inquiry from Mac & i.
However, there was a potential remedy, even if the operating system did not recommend it by default: Advanced Data Protection for iCloud, ADP for short. The feature, available since late 2022 / early 2023, ensures that all sensitive content stored with Apple is (finally) end-to-end encrypted, so that Apple itself, and with it authorities approaching Apple with court orders, has no access to it. This also protected FileVault access. The problem: many users simply do not know about or cannot find ADP, or even shy away from the feature because Apple can no longer help them if they lose their password after activation (though other options exist for that case).
With macOS 26, FileVault becomes more secure
Fast forward to macOS 26: the new operating system now makes FileVault more secure by default. Instead of optionally storing the recovery key in iCloud, where Apple might gain access, it uses the iCloud Keychain. The keychain has been end-to-end encrypted from the start and thus could never be viewed by Apple. Access is only possible in combination with the password and a second factor, which Apple also cannot access, as it is tied to a device owned by the user.
Annoyingly, with FileVault in Tahoe, Apple no longer asks whether synchronization should take place or not. If the iCloud Keychain is active (indicated by "Passwords" being enabled in the iCloud section of the Apple Account settings), the recovery key is automatically stored there; you can no longer prevent this, as was possible with the insecure pure-iCloud storage in macOS 15 and earlier. Helpfully, macOS 26 lets the recovery key be displayed any number of times in the FileVault settings. You should definitely note it down and keep it in a safe place, regardless of whether you use the iCloud Keychain or not.
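To audit the state the article's advice depends on (is FileVault on, and is there a personal recovery key that Tahoe will escrow to the iCloud Keychain whenever Passwords sync is active), here is an added shell script that is not part of the article or of Apple's tooling. It calls Apple's fdesetup(8) with its documented verbs "status" and "haspersonalrecoverykey"; the text parsing is kept in separate functions so it can also be exercised on constructed sample output on a machine without fdesetup.

```shell
#!/bin/sh
# Added example (not from the article): audit the FileVault state that the
# macOS 26 recovery-key escrow behaviour depends on.
# Uses Apple's fdesetup(8) verbs "status" and "haspersonalrecoverykey";
# run with sudo on macOS. Parsing is separated so it can be tested offline.

# filevault_state STATUS_TEXT -> prints "on", "off" or "unknown"
# "fdesetup status" prints "FileVault is On." or "FileVault is Off."
filevault_state() {
  case "$1" in
    *"FileVault is On"*)  echo on ;;
    *"FileVault is Off"*) echo off ;;
    *)                    echo unknown ;;
  esac
}

# escrow_advice STATE HASKEY -> one-line recommendation
# HASKEY is the "true"/"false" printed by "fdesetup haspersonalrecoverykey".
escrow_advice() {
  state="$1"; haskey="$2"
  if [ "$state" != on ]; then
    echo "FileVault is not enabled; recovery-key escrow does not apply yet."
  elif [ "$haskey" = true ]; then
    echo "Personal recovery key set; on macOS 26 it is escrowed to the iCloud Keychain whenever Passwords sync is on. Record the key offline as well."
  else
    echo "No personal recovery key reported; an institutional key or none may be in use."
  fi
}

# audit_filevault: runs fdesetup on macOS; elsewhere falls back to a
# constructed sample so the script still demonstrates the logic.
audit_filevault() {
  if command -v fdesetup >/dev/null 2>&1; then
    status_text=$(fdesetup status 2>/dev/null)
    haskey=$(fdesetup haspersonalrecoverykey 2>/dev/null)
  else
    status_text="FileVault is On."   # constructed sample output
    haskey=true                      # constructed sample output
  fi
  state=$(filevault_state "$status_text")
  echo "state=$state personal_recovery_key=$haskey"
  escrow_advice "$state" "$haskey"
}

# Run only when executed directly, not when sourced for testing.
[ "${0##*/}" = "filevault_audit.sh" ] && audit_filevault
```

Save it as filevault_audit.sh and run it with sudo on the Mac in question; the script itself cannot tell whether Passwords sync is enabled, so that box is the remaining item to check by hand in the Apple Account settings.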
(bsc)